Does Business Strategy Influence Cybersecurity Risk Disclosures?

SynopsisThe research problemThis study examines the influence of firms' business strategies on their cybersecurity risk disclosures (CRDs).MotivationsThe exponential expansion of the digital economy and the increasing reliance on online data storage and processing have made cybersecurity breaches a critical issue for businesses worldwide. The disclosure of cybersecurity risks is vital in fostering transparency and communication between firms and external stakeholders. This study draws from the Miles and Snow (1978) strategic typology to explore how firms' chosen strategies influence their CRDs. This investigation is important because firms that adopt a prospector- or a defender-type strategy have different strategic focuses, leading to varying degrees of exposure to cybersecurity risks. As a result, these firms have various incentives to engage in CRDs. By enhancing our understanding of CRDs' determinants, this study provides insights into the way in which business strategies shape firms' approaches to communicating cybersecurity risks.Despite the increasing scholarly attention paid to firms' disclosure of cybersecurity risks, there remains a lack of literature concerning the factors influencing the extent of CRDs. Our study fills the gap in the literature by investigating how firms' business strategies shape CRDs. By uncovering the influence of business strategies on CRDs, our study provides valuable insights into the information environment within firms.The test hypothesesHypothesis 1a posits that firms adopting a prospector-type strategy are more likely to make more CRDs than firms following a defender-type strategy. Conversely, Hypothesis 1b suggests that firms with a prospector-type strategy are less inclined to provide extensive CRDs than their defender-type counterparts.Target populationRegulators, investors, and other stakeholders.Adopted methodologyOrdinary least squares regressions.AnalysesOur independent variable of interest is business strategies, which we categorized into prospectors, analyzers, and defenders based on the Miles & Snow (1978) strategic typology. As our dependent variable, we employ the CRD score developed by Florackis et al. (2023), which utilizes machine learning-based textual analysis to quantify CRDs. As for the analysis of consequences, we use Tobin's Q as an indicator of firm value.FindingsWe find that firms adopting a prospector-type strategy are more inclined to provide extensive CRDs than firms following a defender-type strategy. Moreover, we observe that the impact of business strategies on CRDs is heightened in firms with strong corporate governance attributes, including effective boards, robust internal controls, and the engagement of industry expert auditors or Big Four accounting firms. In addition, our findings indicate that the strengthened relationship between business strategies and CRDs contributes positively to firm value.